My application uses JWTs and should prevent replay attacks. While testing I ran the following.

When I have a valid JWT and change the last character of the token (the signature), the JWT is still valid. E.g. the following tokens all validate correctly:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJTb21lIFRlc3QiLCJjbGFpbSI6IlNvbWUgQ2xhaW0ifQ.UkFYSK7hSSeiqUOSMdbXgbOErMFnuK0EmK1722ny-r4
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJTb21lIFRlc3QiLCJjbGFpbSI6IlNvbWUgQ2xhaW0ifQ.UkFYSK7hSSeiqUOSMdbXgbOErMFnuK0EmK1722ny-r5
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJTb21lIFRlc3QiLCJjbGFpbSI6IlNvbWUgQ2xhaW0ifQ.UkFYSK7hSSeiqUOSMdbXgbOErMFnuK0EmK1722ny-r6
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJTb21lIFRlc3QiLCJjbGFpbSI6IlNvbWUgQ2xhaW0ifQ.UkFYSK7hSSeiqUOSMdbXgbOErMFnuK0EmK1722ny-r7

I have checked this on http://jwt.io/ and can reproduce it in my .NET application as well.

Can anyone explain how it is possible for the signature not to be unique for a given payload? I understand that collisions can occur, but I cannot explain consecutive sequences.
In this special case you are changing the base64url encoding of the signature, not the signature itself.

The four base64 values encode the same binary value. Try converting them to hexadecimal at http://kjur.github.io/jsjws/tool_b64udec.html

The value you see is

52415848aee14927a2a9439231d6d781b384acc167b8ad049a4d7bdb69f2fabe

If you change the suffix to -r1 or -r8, the binary value changes and signature validation fails.
Can two different base64-encoded strings result in the same string when decoded?